2018-07-25 02:02:27 +00:00
|
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
|
layout: docs
|
|
|
|
|
page_title: Vault Agent
|
2018-07-25 02:02:27 +00:00
|
|
|
|
description: |-
|
|
|
|
|
Vault Agent is a client-side daemon that can be used to perform some Vault
|
|
|
|
|
functionality automatically.
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# Vault Agent
|
|
|
|
|
|
2021-11-24 20:41:11 +00:00
|
|
|
|
A valid client token must accompany most requests to Vault. This
|
|
|
|
|
includes all API requests, as well as via the Vault CLI and other libraries.
|
|
|
|
|
Therefore, Vault clients must first authenticate with Vault to acquire a token.
|
|
|
|
|
Vault provides several different authentication methods to assist in
|
|
|
|
|
delivering this initial token.
|
|
|
|
|
|
|
|
|
|
![Client authentication](/img/diagram-vault-agent.png)
|
|
|
|
|
|
|
|
|
|
If the client can securely acquire the token, all subsequent requests (e.g., request
|
|
|
|
|
database credentials, read key/value secrets) are processed based on the
|
|
|
|
|
trust established by a successful authentication.
|
|
|
|
|
|
|
|
|
|
This means that client application must invoke the Vault API to authenticate
|
|
|
|
|
with Vault and manage the acquired token, in addition to invoking the API to
|
|
|
|
|
request secrets from Vault. This implies code changes to client applications
|
|
|
|
|
along with additional testing and maintenance of the application.
|
|
|
|
|
|
|
|
|
|
The following code example implements Vault API to authenticate with Vault
|
|
|
|
|
through [AppRole auth method](/docs/auth/approle#code-example), and then uses
|
|
|
|
|
the returned client token to read secrets at `kv-v2/data/creds`.
|
|
|
|
|
|
|
|
|
|
```go
|
|
|
|
|
package main
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
...snip...
|
|
|
|
|
vault "github.com/hashicorp/vault/api"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Fetches a key-value secret (kv-v2) after authenticating via AppRole
|
|
|
|
|
func getSecretWithAppRole() (string, error) {
|
2022-02-18 01:10:26 +00:00
|
|
|
|
config := vault.DefaultConfig()
|
2021-11-24 20:41:11 +00:00
|
|
|
|
|
|
|
|
|
client := vault.NewClient(config)
|
2022-02-18 01:10:26 +00:00
|
|
|
|
wrappingToken := ioutil.ReadFile("path/to/wrapping-token")
|
2021-11-24 20:41:11 +00:00
|
|
|
|
unwrappedToken := client.Logical().Unwrap(strings.TrimSuffix(string(wrappingToken), "\n"))
|
2022-02-18 01:10:26 +00:00
|
|
|
|
|
2021-11-24 20:41:11 +00:00
|
|
|
|
secretID := unwrappedToken.Data["secret_id"]
|
|
|
|
|
roleID := os.Getenv("APPROLE_ROLE_ID")
|
|
|
|
|
|
|
|
|
|
params := map[string]interface{}{
|
|
|
|
|
"role_id": roleID,
|
|
|
|
|
"secret_id": secretID,
|
|
|
|
|
}
|
|
|
|
|
resp := client.Logical().Write("auth/approle/login", params)
|
|
|
|
|
client.SetToken(resp.Auth.ClientToken)
|
|
|
|
|
|
|
|
|
|
secret, err := client.Logical().Read("kv-v2/data/creds")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("unable to read secret: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
data := secret.Data["data"].(map[string]interface{})
|
2022-02-18 01:10:26 +00:00
|
|
|
|
|
2021-11-24 20:41:11 +00:00
|
|
|
|
...snip...
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
For some Vault deployments, making (and maintaining) these changes to
|
|
|
|
|
applications may not be a problem, and may actually be preferred. This may be
|
|
|
|
|
applied to scenarios where you have a small number of applications or you want
|
|
|
|
|
to keep strict, customized control over how each application interacts with
|
|
|
|
|
Vault. However, in other situations where you have a large number of
|
|
|
|
|
applications, as in large enterprises, you may not have the resources or expertise
|
|
|
|
|
to update and maintain the Vault integration code for every application. When
|
|
|
|
|
third party applications are being deployed by the application, it is prohibited
|
2022-02-18 01:10:26 +00:00
|
|
|
|
to add the Vault integration code.
|
2021-11-24 20:41:11 +00:00
|
|
|
|
|
|
|
|
|
Vault Agent aims to remove this initial hurdle to adopt Vault by providing a
|
|
|
|
|
more scalable and simpler way for applications to integrate with Vault.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## What is Vault Agent?
|
|
|
|
|
|
2019-03-15 16:33:31 +00:00
|
|
|
|
Vault Agent is a client daemon that provides the following features:
|
|
|
|
|
|
2022-02-18 01:10:26 +00:00
|
|
|
|
- [Auto-Auth][autoauth] - Automatically authenticate to Vault and manage the
|
2021-11-24 20:41:11 +00:00
|
|
|
|
token renewal process for locally-retrieved dynamic secrets.
|
2022-02-18 01:10:26 +00:00
|
|
|
|
- [Caching][caching] - Allows client-side caching of responses containing newly
|
2021-11-24 20:41:11 +00:00
|
|
|
|
created tokens and responses containing leased secrets generated off of these
|
|
|
|
|
newly created tokens. The agent also manages the renewals of the cached tokens and leases.
|
2022-02-18 01:10:26 +00:00
|
|
|
|
- [Windows Service][winsvc] - Allows running the Vault Agent as a Windows
|
2021-11-24 20:41:11 +00:00
|
|
|
|
service.
|
2022-02-18 01:10:26 +00:00
|
|
|
|
- [Templating][template] - Allows rendering of user-supplied templates by Vault
|
2021-11-24 20:41:11 +00:00
|
|
|
|
Agent, using the token generated by the Auto-Auth step.
|
2018-07-25 02:02:27 +00:00
|
|
|
|
|
2019-03-15 16:33:31 +00:00
|
|
|
|
|
2018-07-25 02:02:27 +00:00
|
|
|
|
## Auto-Auth
|
|
|
|
|
|
2021-11-24 20:41:11 +00:00
|
|
|
|
Vault Agent allows easy authentication to Vault in a wide variety of
|
2019-03-15 16:33:31 +00:00
|
|
|
|
environments. Please see the [Auto-Auth docs][autoauth]
|
2018-07-25 02:02:27 +00:00
|
|
|
|
for information.
|
|
|
|
|
|
|
|
|
|
Auto-Auth functionality takes place within an `auto_auth` configuration stanza.
|
|
|
|
|
|
2019-03-15 16:33:31 +00:00
|
|
|
|
## Caching
|
|
|
|
|
|
2019-08-29 19:44:31 +00:00
|
|
|
|
Vault Agent allows client-side caching of responses containing newly created tokens
|
2019-03-15 16:33:31 +00:00
|
|
|
|
and responses containing leased secrets generated off of these newly created tokens.
|
|
|
|
|
Please see the [Caching docs][caching] for information.
|
|
|
|
|
|
2022-02-25 10:29:05 +00:00
|
|
|
|
## API
|
|
|
|
|
|
|
|
|
|
### Quit
|
|
|
|
|
|
|
|
|
|
This endpoints triggers shutdown of the agent. By default, it is disabled, and can
|
|
|
|
|
be enabled per listener using the [`agent_api`][agent-api] stanza. It is recommended
|
|
|
|
|
to only enable this on trusted interfaces, as it does not require any authorization to use.
|
|
|
|
|
|
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :--------------- |
|
|
|
|
|
| `POST` | `/agent/v1/quit` |
|
|
|
|
|
|
|
|
|
|
### Cache
|
|
|
|
|
|
|
|
|
|
See the [caching](/docs/agent/caching#api) page for details on the cache API.
|
|
|
|
|
|
2018-07-25 02:02:27 +00:00
|
|
|
|
## Configuration
|
|
|
|
|
|
2018-07-30 14:37:04 +00:00
|
|
|
|
These are the currently-available general configuration option:
|
2018-07-25 02:02:27 +00:00
|
|
|
|
|
2020-05-07 22:10:49 +00:00
|
|
|
|
- `vault` <code>([vault][vault]: <optional\>)</code> - Specifies the remote Vault server the Agent connects to.
|
2019-03-15 16:33:31 +00:00
|
|
|
|
|
2020-05-07 22:10:49 +00:00
|
|
|
|
- `auto_auth` <code>([auto_auth][autoauth]: <optional\>)</code> - Specifies the method and other options used for Auto-Auth functionality.
|
2019-03-15 16:33:31 +00:00
|
|
|
|
|
2020-05-07 22:10:49 +00:00
|
|
|
|
- `cache` <code>([cache][caching]: <optional\>)</code> - Specifies options used for Caching functionality.
|
2019-03-15 16:33:31 +00:00
|
|
|
|
|
2020-05-07 22:10:49 +00:00
|
|
|
|
- `listener` <code>([listener][listener]: <optional\>)</code> - Specifies the addresses and ports on which the Agent will respond to requests.
|
2019-10-17 14:08:59 +00:00
|
|
|
|
|
2018-07-25 02:02:27 +00:00
|
|
|
|
- `pid_file` `(string: "")` - Path to the file in which the agent's Process ID
|
2018-07-30 14:37:04 +00:00
|
|
|
|
(PID) should be stored
|
|
|
|
|
|
|
|
|
|
- `exit_after_auth` `(bool: false)` - If set to `true`, the agent will exit
|
|
|
|
|
with code `0` after a single successful auth, where success means that a
|
|
|
|
|
token was retrieved and all sinks successfully wrote it
|
2018-07-25 02:02:27 +00:00
|
|
|
|
|
2020-05-07 22:10:49 +00:00
|
|
|
|
- `template` <code>([template][template]: <optional\>)</code> - Specifies options used for templating Vault secrets to files.
|
Vault Agent Template (#7652)
* Vault Agent Template: parse templates (#7540)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* Update command/agent/config/config.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* return the decode error instead of swallowing it
* Update command/agent/config/config_test.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* go mod tidy
* change error checking style
* Add agent template doc
* TemplateServer: render secrets with Consul Template (#7621)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* add template package
* WIP: add runner
* fix panic, actually copy templates, etc
* rework how the config.Vault is created and enable reading from the environment
* this was supposed to be a part of the prior commit
* move/add methods to testhelpers for converting some values to pointers
* use new methods in testhelpers
* add an unblock channel to block agent until a template has been rendered
* add note
* unblock if there are no templates
* cleanups
* go mod tidy
* remove dead code
* simple test to starT
* add simple, empty templates test
* Update package doc, error logs, and add missing close() on channel
* update code comment to be clear what I'm referring to
* have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only
* Update command/agent.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* update with test
* Add README and doc.go to the command/agent directory (#7503)
* Add README and doc.go to the command/agent directory
* Add link to website
* address feedback for agent.go
* updated with feedback from Calvin
* Rework template.Server to export the unblock channel, and remove it from the NewServer function
* apply feedback from Nick
* fix/restructure rendering test
* Add pointerutil package for converting types to their pointers
* Remove pointer helper methods; use sdk/helper/pointerutil instead
* update newRunnerConfig to use pointerutil and empty strings
* only wait for unblock if template server is initialized
* drain the token channel in this test
* conditionally send on channel
2019-10-18 21:21:46 +00:00
|
|
|
|
|
2021-06-21 23:10:15 +00:00
|
|
|
|
- `template_config` <code>([template_config][template-config]: <optional\>)</code> - Specifies templating engine behavior.
|
|
|
|
|
|
2022-02-18 01:10:26 +00:00
|
|
|
|
- `telemetry` <code>([telemetry][telemetry]: <optional\>)</code> – Specifies the telemetry
|
|
|
|
|
reporting system. See the [telemetry Stanza](/docs/agent#telemetry-stanza) section below
|
|
|
|
|
for a list of metrics specific to Agent.
|
|
|
|
|
|
2019-03-15 16:33:31 +00:00
|
|
|
|
### vault Stanza
|
|
|
|
|
|
|
|
|
|
There can at most be one top level `vault` block and it has the following
|
|
|
|
|
configuration entries:
|
|
|
|
|
|
2020-05-09 19:52:13 +00:00
|
|
|
|
- `address` `(string: <optional>)` - The address of the Vault server. This should
|
2019-03-15 16:33:31 +00:00
|
|
|
|
be a complete URL such as `https://127.0.0.1:8200`. This value can be
|
|
|
|
|
overridden by setting the `VAULT_ADDR` environment variable.
|
|
|
|
|
|
2020-05-09 19:52:13 +00:00
|
|
|
|
- `ca_cert` `(string: <optional>)` - Path on the local disk to a single PEM-encoded
|
2019-03-15 16:33:31 +00:00
|
|
|
|
CA certificate to verify the Vault server's SSL certificate. This value can
|
|
|
|
|
be overridden by setting the `VAULT_CACERT` environment variable.
|
|
|
|
|
|
2020-05-09 19:52:13 +00:00
|
|
|
|
- `ca_path` `(string: <optional>)` - Path on the local disk to a directory of
|
2019-03-15 16:33:31 +00:00
|
|
|
|
PEM-encoded CA certificates to verify the Vault server's SSL certificate.
|
|
|
|
|
This value can be overridden by setting the `VAULT_CAPATH` environment
|
|
|
|
|
variable.
|
|
|
|
|
|
2020-05-09 19:52:13 +00:00
|
|
|
|
- `client_cert` `(string: <optional>)` - Path on the local disk to a single
|
2019-03-15 16:33:31 +00:00
|
|
|
|
PEM-encoded CA certificate to use for TLS authentication to the Vault server.
|
|
|
|
|
This value can be overridden by setting the `VAULT_CLIENT_CERT` environment
|
|
|
|
|
variable.
|
|
|
|
|
|
2020-05-09 19:52:13 +00:00
|
|
|
|
- `client_key` `(string: <optional>)` - Path on the local disk to a single
|
2019-03-15 16:33:31 +00:00
|
|
|
|
PEM-encoded private key matching the client certificate from `client_cert`.
|
|
|
|
|
This value can be overridden by setting the `VAULT_CLIENT_KEY` environment
|
|
|
|
|
variable.
|
|
|
|
|
|
2020-05-09 19:52:13 +00:00
|
|
|
|
- `tls_skip_verify` `(string: <optional>)` - Disable verification of TLS
|
2019-03-15 16:33:31 +00:00
|
|
|
|
certificates. Using this option is highly discouraged as it decreases the
|
|
|
|
|
security of data transmissions to and from the Vault server. This value can
|
|
|
|
|
be overridden by setting the `VAULT_SKIP_VERIFY` environment variable.
|
|
|
|
|
|
2020-05-09 19:52:13 +00:00
|
|
|
|
- `tls_server_name` `(string: <optional>)` - Name to use as the SNI host when
|
2019-10-29 13:11:01 +00:00
|
|
|
|
connecting via TLS. This value can be overridden by setting the
|
|
|
|
|
`VAULT_TLS_SERVER_NAME` environment variable.
|
|
|
|
|
|
2021-03-22 16:50:59 +00:00
|
|
|
|
#### retry Stanza
|
|
|
|
|
|
2021-06-21 23:10:15 +00:00
|
|
|
|
The `vault` stanza may contain a `retry` stanza that controls how failing Vault
|
|
|
|
|
requests are handled, whether these requests are issued in order to render
|
2021-03-22 16:50:59 +00:00
|
|
|
|
templates, or are proxied requests coming from the proxy cache subsystem.
|
|
|
|
|
Auto-auth, however, has its own notion of retrying and is not affected by this
|
|
|
|
|
section.
|
|
|
|
|
|
2021-06-21 23:10:15 +00:00
|
|
|
|
For requests from the templating engine, Agent will reset its retry counter and
|
|
|
|
|
perform retries again once all retries are exhausted. This means that templating
|
2021-08-24 21:26:56 +00:00
|
|
|
|
will retry on failures indefinitely unless `exit_on_retry_failure` from the
|
2021-06-21 23:10:15 +00:00
|
|
|
|
[`template_config`][template-config] stanza is set to `true`.
|
|
|
|
|
|
2021-03-22 16:50:59 +00:00
|
|
|
|
Here are the options for the `retry` stanza:
|
2021-04-06 17:49:04 +00:00
|
|
|
|
|
2021-03-22 16:50:59 +00:00
|
|
|
|
- `num_retries` `(int: 12)` - Specify how many times a failing request will
|
2021-04-06 17:49:04 +00:00
|
|
|
|
be retried. A value of `0` translates to the default, i.e. 12 retries.
|
|
|
|
|
A value of `-1` disables retries. The environment variable `VAULT_MAX_RETRIES`
|
2021-03-22 16:50:59 +00:00
|
|
|
|
overrides this setting.
|
|
|
|
|
|
2021-04-06 17:49:04 +00:00
|
|
|
|
There are a couple of subtleties to be aware of here. First, requests originating
|
2021-03-22 16:50:59 +00:00
|
|
|
|
from the proxy cache will only be retried if they resulted in specific HTTP
|
|
|
|
|
result codes: any 50x code except 501 ("not implemented"), as well as 412
|
|
|
|
|
("precondition failed"); 412 is used in Vault Enterprise 1.7+ to indicate a
|
2021-04-06 17:49:04 +00:00
|
|
|
|
stale read due to eventual consistency. Requests coming from the template
|
2021-03-22 16:50:59 +00:00
|
|
|
|
subsystem are retried regardless of the failure.
|
|
|
|
|
|
2021-06-21 23:10:15 +00:00
|
|
|
|
Second, templating retries may be performed by both the templating engine _and_
|
|
|
|
|
the cache proxy if Agent [persistent
|
|
|
|
|
cache][persistent-cache] is enabled. This is due to the
|
|
|
|
|
fact that templating requests go through the cache proxy when persistence is
|
|
|
|
|
enabled.
|
|
|
|
|
|
|
|
|
|
Third, the backoff algorithm used to set the time between retries differs for
|
2021-04-06 17:49:04 +00:00
|
|
|
|
the template and cache subsystems. This is a technical limitation we hope
|
2021-03-22 16:50:59 +00:00
|
|
|
|
to address in the future.
|
|
|
|
|
|
2019-10-17 14:08:59 +00:00
|
|
|
|
### listener Stanza
|
|
|
|
|
|
2020-05-15 11:51:52 +00:00
|
|
|
|
Agent supports one or more [listener][listener_main] stanzas. In addition to
|
2019-10-17 14:08:59 +00:00
|
|
|
|
the standard listener configuration, an Agent's listener configuration also
|
2022-02-25 10:29:05 +00:00
|
|
|
|
supports the following:
|
2019-10-17 14:08:59 +00:00
|
|
|
|
|
2020-05-07 22:10:49 +00:00
|
|
|
|
- `require_request_header` `(bool: false)` - Require that all incoming HTTP
|
2019-10-17 14:08:59 +00:00
|
|
|
|
requests on this listener must have an `X-Vault-Request: true` header entry.
|
2019-11-11 21:27:40 +00:00
|
|
|
|
Using this option offers an additional layer of protection from Server Side
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Request Forgery attacks. Requests on the listener that do not have the proper
|
|
|
|
|
`X-Vault-Request` header will fail, with a HTTP response status code of `412: Precondition Failed`.
|
2019-10-17 14:08:59 +00:00
|
|
|
|
|
2022-02-25 10:29:05 +00:00
|
|
|
|
- `agent_api` <code>([agent_api][agent-api]: <optional\>)</code> - Manages optional Agent API endpoints.
|
|
|
|
|
|
|
|
|
|
#### agent_api Stanza
|
|
|
|
|
|
|
|
|
|
- `enable_quit` `(bool: false)` - If set to `true`, the agent will enable the [quit](/docs/agent#quit) API.
|
|
|
|
|
|
2022-02-18 01:10:26 +00:00
|
|
|
|
### telemetry Stanza
|
|
|
|
|
|
|
|
|
|
Vault Agent supports the [telemetry][telemetry] stanza and collects various
|
|
|
|
|
runtime metrics about its performance, the auto-auth and the cache status:
|
|
|
|
|
|
|
|
|
|
| Metric | Description | Type |
|
|
|
|
|
| -------------------------------- | ---------------------------------------------------- | ------- |
|
|
|
|
|
| `vault.agent.auth.failure` | Number of authentication failures | counter |
|
|
|
|
|
| `vault.agent.auth.success` | Number of authentication successes | counter |
|
|
|
|
|
| `vault.agent.proxy.success` | Number of requests successfully proxied | counter |
|
|
|
|
|
| `vault.agent.proxy.client_error` | Number of requests for which Vault returned an error | counter |
|
|
|
|
|
| `vault.agent.proxy.error` | Number of requests the agent failed to proxy | counter |
|
|
|
|
|
| `vault.agent.cache.hit` | Number of cache hits | counter |
|
|
|
|
|
| `vault.agent.cache.miss` | Number of cache misses | counter |
|
|
|
|
|
|
|
|
|
|
|
2021-11-24 20:41:11 +00:00
|
|
|
|
|
2022-02-18 01:10:26 +00:00
|
|
|
|
## Start Vault Agent
|
2021-11-24 20:41:11 +00:00
|
|
|
|
|
2022-02-18 01:10:26 +00:00
|
|
|
|
To run Vault Agent:
|
2021-11-24 20:41:11 +00:00
|
|
|
|
|
|
|
|
|
1. [Download](/downloads) the Vault binary where the client application runs
|
2022-02-18 01:10:26 +00:00
|
|
|
|
(virtual machine, Kubernetes pod, etc.)
|
2021-11-24 20:41:11 +00:00
|
|
|
|
|
|
|
|
|
1. Create a Vault Agent configuration file. (See the [Example
|
2022-02-18 01:10:26 +00:00
|
|
|
|
Configuration](#example-configuration) section for an example configuration.)
|
2021-11-24 20:41:11 +00:00
|
|
|
|
|
|
|
|
|
1. Start a Vault Agent with the configuration file.
|
|
|
|
|
|
|
|
|
|
**Example:**
|
|
|
|
|
|
|
|
|
|
```shell-session
|
2021-12-07 01:23:03 +00:00
|
|
|
|
$ vault agent -config=/etc/vault/agent-config.hcl
|
2021-11-24 20:41:11 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
To get help, run:
|
|
|
|
|
|
|
|
|
|
```shell-session
|
|
|
|
|
$ vault agent -h
|
|
|
|
|
```
|
|
|
|
|
|
2018-07-25 02:02:27 +00:00
|
|
|
|
## Example Configuration
|
|
|
|
|
|
|
|
|
|
An example configuration, with very contrived values, follows:
|
|
|
|
|
|
|
|
|
|
```python
|
|
|
|
|
pid_file = "./pidfile"
|
|
|
|
|
|
2019-03-15 16:33:31 +00:00
|
|
|
|
vault {
|
2021-03-22 16:50:59 +00:00
|
|
|
|
address = "https://127.0.0.1:8200"
|
|
|
|
|
retry {
|
|
|
|
|
num_retries = 5
|
|
|
|
|
}
|
2019-03-15 16:33:31 +00:00
|
|
|
|
}
|
|
|
|
|
|
2018-07-25 02:02:27 +00:00
|
|
|
|
auto_auth {
|
2021-03-22 16:50:59 +00:00
|
|
|
|
method "aws" {
|
|
|
|
|
mount_path = "auth/aws-subaccount"
|
|
|
|
|
config = {
|
|
|
|
|
type = "iam"
|
|
|
|
|
role = "foobar"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sink "file" {
|
|
|
|
|
config = {
|
|
|
|
|
path = "/tmp/file-foo"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sink "file" {
|
|
|
|
|
wrap_ttl = "5m"
|
|
|
|
|
aad_env_var = "TEST_AAD_ENV"
|
|
|
|
|
dh_type = "curve25519"
|
|
|
|
|
dh_path = "/tmp/file-foo-dhpath2"
|
|
|
|
|
config = {
|
|
|
|
|
path = "/tmp/file-bar"
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-07-25 02:02:27 +00:00
|
|
|
|
}
|
2019-03-15 16:33:31 +00:00
|
|
|
|
|
|
|
|
|
cache {
|
2021-03-22 16:50:59 +00:00
|
|
|
|
use_auto_auth_token = true
|
2019-03-20 16:42:31 +00:00
|
|
|
|
}
|
2019-03-15 16:33:31 +00:00
|
|
|
|
|
2019-03-20 16:42:31 +00:00
|
|
|
|
listener "unix" {
|
2021-03-22 16:50:59 +00:00
|
|
|
|
address = "/path/to/socket"
|
|
|
|
|
tls_disable = true
|
2019-03-20 16:42:31 +00:00
|
|
|
|
}
|
2019-03-15 16:33:31 +00:00
|
|
|
|
|
2019-03-20 16:42:31 +00:00
|
|
|
|
listener "tcp" {
|
2021-03-22 16:50:59 +00:00
|
|
|
|
address = "127.0.0.1:8100"
|
|
|
|
|
tls_disable = true
|
2019-03-15 16:33:31 +00:00
|
|
|
|
}
|
Vault Agent Template (#7652)
* Vault Agent Template: parse templates (#7540)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* Update command/agent/config/config.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* return the decode error instead of swallowing it
* Update command/agent/config/config_test.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* go mod tidy
* change error checking style
* Add agent template doc
* TemplateServer: render secrets with Consul Template (#7621)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* add template package
* WIP: add runner
* fix panic, actually copy templates, etc
* rework how the config.Vault is created and enable reading from the environment
* this was supposed to be a part of the prior commit
* move/add methods to testhelpers for converting some values to pointers
* use new methods in testhelpers
* add an unblock channel to block agent until a template has been rendered
* add note
* unblock if there are no templates
* cleanups
* go mod tidy
* remove dead code
* simple test to starT
* add simple, empty templates test
* Update package doc, error logs, and add missing close() on channel
* update code comment to be clear what I'm referring to
* have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only
* Update command/agent.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* update with test
* Add README and doc.go to the command/agent directory (#7503)
* Add README and doc.go to the command/agent directory
* Add link to website
* address feedback for agent.go
* updated with feedback from Calvin
* Rework template.Server to export the unblock channel, and remove it from the NewServer function
* apply feedback from Nick
* fix/restructure rendering test
* Add pointerutil package for converting types to their pointers
* Remove pointer helper methods; use sdk/helper/pointerutil instead
* update newRunnerConfig to use pointerutil and empty strings
* only wait for unblock if template server is initialized
* drain the token channel in this test
* conditionally send on channel
2019-10-18 21:21:46 +00:00
|
|
|
|
|
|
|
|
|
template {
|
2021-03-22 16:50:59 +00:00
|
|
|
|
source = "/etc/vault/server.key.ctmpl"
|
Vault Agent Template (#7652)
* Vault Agent Template: parse templates (#7540)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* Update command/agent/config/config.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* return the decode error instead of swallowing it
* Update command/agent/config/config_test.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* go mod tidy
* change error checking style
* Add agent template doc
* TemplateServer: render secrets with Consul Template (#7621)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* add template package
* WIP: add runner
* fix panic, actually copy templates, etc
* rework how the config.Vault is created and enable reading from the environment
* this was supposed to be a part of the prior commit
* move/add methods to testhelpers for converting some values to pointers
* use new methods in testhelpers
* add an unblock channel to block agent until a template has been rendered
* add note
* unblock if there are no templates
* cleanups
* go mod tidy
* remove dead code
* simple test to starT
* add simple, empty templates test
* Update package doc, error logs, and add missing close() on channel
* update code comment to be clear what I'm referring to
* have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only
* Update command/agent.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* update with test
* Add README and doc.go to the command/agent directory (#7503)
* Add README and doc.go to the command/agent directory
* Add link to website
* address feedback for agent.go
* updated with feedback from Calvin
* Rework template.Server to export the unblock channel, and remove it from the NewServer function
* apply feedback from Nick
* fix/restructure rendering test
* Add pointerutil package for converting types to their pointers
* Remove pointer helper methods; use sdk/helper/pointerutil instead
* update newRunnerConfig to use pointerutil and empty strings
* only wait for unblock if template server is initialized
* drain the token channel in this test
* conditionally send on channel
2019-10-18 21:21:46 +00:00
|
|
|
|
destination = "/etc/vault/server.key"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
template {
|
2021-03-22 16:50:59 +00:00
|
|
|
|
source = "/etc/vault/server.crt.ctmpl"
|
Vault Agent Template (#7652)
* Vault Agent Template: parse templates (#7540)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* Update command/agent/config/config.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* return the decode error instead of swallowing it
* Update command/agent/config/config_test.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* go mod tidy
* change error checking style
* Add agent template doc
* TemplateServer: render secrets with Consul Template (#7621)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* add template package
* WIP: add runner
* fix panic, actually copy templates, etc
* rework how the config.Vault is created and enable reading from the environment
* this was supposed to be a part of the prior commit
* move/add methods to testhelpers for converting some values to pointers
* use new methods in testhelpers
* add an unblock channel to block agent until a template has been rendered
* add note
* unblock if there are no templates
* cleanups
* go mod tidy
* remove dead code
* simple test to starT
* add simple, empty templates test
* Update package doc, error logs, and add missing close() on channel
* update code comment to be clear what I'm referring to
* have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only
* Update command/agent.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* update with test
* Add README and doc.go to the command/agent directory (#7503)
* Add README and doc.go to the command/agent directory
* Add link to website
* address feedback for agent.go
* updated with feedback from Calvin
* Rework template.Server to export the unblock channel, and remove it from the NewServer function
* apply feedback from Nick
* fix/restructure rendering test
* Add pointerutil package for converting types to their pointers
* Remove pointer helper methods; use sdk/helper/pointerutil instead
* update newRunnerConfig to use pointerutil and empty strings
* only wait for unblock if template server is initialized
* drain the token channel in this test
* conditionally send on channel
2019-10-18 21:21:46 +00:00
|
|
|
|
destination = "/etc/vault/server.crt"
|
|
|
|
|
}
|
2018-07-25 02:02:27 +00:00
|
|
|
|
```
|
2019-03-15 16:33:31 +00:00
|
|
|
|
|
2020-01-22 20:05:41 +00:00
|
|
|
|
[vault]: /docs/agent#vault-stanza
|
|
|
|
|
[autoauth]: /docs/agent/autoauth
|
|
|
|
|
[caching]: /docs/agent/caching
|
2021-06-21 23:10:15 +00:00
|
|
|
|
[persistent-cache]: /docs/agent/caching/persistent-caches
|
2020-01-22 20:05:41 +00:00
|
|
|
|
[template]: /docs/agent/template
|
2021-06-21 23:10:15 +00:00
|
|
|
|
[template-config]: /docs/agent/template-config
|
2022-02-25 10:29:05 +00:00
|
|
|
|
[agent-api]: /docs/agent/#agent_api-stanza
|
2020-01-22 20:05:41 +00:00
|
|
|
|
[listener]: /docs/agent#listener-stanza
|
|
|
|
|
[listener_main]: /docs/configuration/listener/tcp
|
2021-04-19 18:36:43 +00:00
|
|
|
|
[winsvc]: /docs/agent/winsvc
|
2022-02-18 01:10:26 +00:00
|
|
|
|
[telemetry]: /docs/configuration/telemetry
|